Aric, To clarify my intent - it was that the blocking of wget/curl/etc tool use except as allowed by regex rules, is the onerous part since there are many different uses and it will be difficult to create/maintain the regexp rules.
I actually would *prefer* use of an external service such as VirusTotal that could flag risky content sources however they do it (FQDN, IP, etc though they are not a perfect solution either), since at least any private-subnet targets for wget/curl would pass that test. Of course, one could argue that if a DNS is hacked then even curl for Keystone APIs can result in a vulnerability... but we have limits in what we can achieve. And such hacks would threaten use of the same resources even via python libraries e.g. for OpenStack clients, so it's not just curl/wget that would be at risk. Thanks, Bryan Sullivan | AT&T -----Original Message----- From: opnfv-tech-discuss-boun...@lists.opnfv.org [mailto:opnfv-tech-discuss-boun...@lists.opnfv.org] On Behalf Of Aric Gardner Sent: Thursday, March 08, 2018 7:21 AM To: Fatih Degirmenci <fatih.degirme...@ericsson.com> Cc: opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org> Subject: Re: [opnfv-tech-discuss] [releng][security][infra] Anteater Improvements Hi Faith, Regarding your comments on reproducibility and traceability. If we are not blocking ips, which I agree with Bryan is heavy handed from a practical perspective. Perhaps ant eater could create a report of external sources per repository, and then exit 0. The developers could then be alerted to our concerns. Gerrit Comment or email to ptl: "Hi $project developer" Here are external ips connected to your build. {list goes here} If any of these sources should go offline, your builds will no longer be reproducible or traceable. Please consider this carefully. If you need a file hosted, contact helpdesk and they will be happy to put in on artifacts.opnfv.org Or something like that.. -Aric On Thu, Mar 8, 2018 at 9:11 AM, Fatih Degirmenci <fatih.degirme...@ericsson.com> wrote: > Hi Luke, > > > > I have few comments and followup questions regarding this: > > “This in turn means we won't raise alarms over curl, git clone and wget and > will instead check the IP addresses or URLS that those commands query. This > should make anteater a lot less chatty at gate.” > > > > You might remember that one of the reasons we have checks for curl/wget is > to find out if projects pull artifacts from unknown IPs during > build/deployment/testing. > > These are not malicious but we have seen that few of the IPs where the > projects fetch the artifacts belong to non-production/personal devices that > tend to disappear over time. > > As you know, this is an important issue from reproducibility and > traceability perspectives. > > > > Now the questions are; > > Assuming the IPs are not explicitly added to exception list for the > corresponding project, do you mean that we will stop flagging changes/files > that contain wget/curl against unknown IPs if they are not marked as > malicious on VirusTotal? > > We also had plans to make anteater checks voting/blocking. Will we discard > this plan since wget/curl against IPs are not even planned to be flagged? > > > > /Fatih > > From: <opnfv-tech-discuss-boun...@lists.opnfv.org> on behalf of Luke Hinds > <lhi...@redhat.com> > Date: Thursday, 8 March 2018 at 14:02 > To: "opnfv-tech-discuss@lists.opnfv.org" > <opnfv-tech-discuss@lists.opnfv.org> > Subject: [opnfv-tech-discuss] [releng][security][infra] Anteater > Improvements > > > > Hello, > > I have some changes to improve the reporting ability and hopefully tone down > the false positives. > > Aneater will now interface with the VirusTotal public API: > > 1. If anteater finds a public IP address, the DNS history will be quiered to > see if the IP has past or present associations with malicious domains. > > > > 2. If a URL is found, it is checked against the VirusTotal API to see if its > marked as malicous. > > 3. Binaries will be sent to VirusTotal for a scan by the aggregation of > scanners hosted there. > > For anyone wanting a demo, please see the following: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__asciinema.org_a_JfzUPWpBGm0wDKPCN3KlK2DK0&d=DwIGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=ML-JPRZQOfToJjMwlJLPlcWimAEwMA5DZGNIrk-cgy0&m=6EsJ-DUgsI7-DkbjEXxGjzptgs4TvKq5mEEloPNPaPs&s=dzAbMw0YSraSqGU7H20vdxbFs2N_XOGvATnqWbreIac&e= > > > I will work with various people to get this rigged into CI. > > This in turn means we won't raise alarms over curl, git clone and wget and > will instead check the IP addresses or URLS that those commands query. This > should make anteater a lot less chatty at gate. > > Cheers, > > Luke > > > _______________________________________________ > opnfv-tech-discuss mailing list > opnfv-tech-discuss@lists.opnfv.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.opnfv.org_mailman_listinfo_opnfv-2Dtech-2Ddiscuss&d=DwIGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=ML-JPRZQOfToJjMwlJLPlcWimAEwMA5DZGNIrk-cgy0&m=6EsJ-DUgsI7-DkbjEXxGjzptgs4TvKq5mEEloPNPaPs&s=zWwal0xhvRoCmujpuFuhA22LpAlUXFhdLXKI42yJojc&e= > > _______________________________________________ opnfv-tech-discuss mailing list opnfv-tech-discuss@lists.opnfv.org https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.opnfv.org_mailman_listinfo_opnfv-2Dtech-2Ddiscuss&d=DwIGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=ML-JPRZQOfToJjMwlJLPlcWimAEwMA5DZGNIrk-cgy0&m=6EsJ-DUgsI7-DkbjEXxGjzptgs4TvKq5mEEloPNPaPs&s=zWwal0xhvRoCmujpuFuhA22LpAlUXFhdLXKI42yJojc&e= _______________________________________________ opnfv-tech-discuss mailing list opnfv-tech-discuss@lists.opnfv.org https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
